- Two-thirds of organizations incurred "significant losses" due to a ransomware attack, according to a Cybereason survey of more than 1,200 cybersecurity professionals globally. The size of the company does not influence the losses, the study released Wednesday found.
- Cyber insurance did not cover all of their costs related to a ransomware attack for 42% of respondents. The results suggest some companies may not have the proper insurance, Cybereason said.
- Tenure for CISOs has been decreasing, with executives remaining at a company between 18 to 26 months, according to the report. Though the average tends to be about 15 months, according to Sam Curry, CSO at Cybereason, in an email to Cybersecurity Dive. Almost one-third of respondents said they "lost top leadership" due to a ransomware attack, either from dismissal or resignation.
Knowing how ransomware gangs compromise a system is significant for mitigation. If a company cannot determine how a threat actor got in, they may be more inclined to pay.
JBS USA said it paid its attackers to prevent further disruption as it is still investigating how the attackers compromised systems. But Cybereason found 80% of organizations that paid still suffered another attack, with 46% of respondents saying they think the second attack was done by the same bad actors.
If an intrusion entrance is not closed, despite paying a ransom, attackers will reuse their tactics, though their strategies evolve. Ransomware operators have changed their initial access strategies over the years. Beginning in 2018, ransomware began to drop as first-stage campaigns, Proofpoint found. Security tools, including threat detection and encryption activities which reduced payouts, moved the needle away from first-stage attacks. However, the pivot also led to more human-operated attacks.
Currently, ransomware gangs largely use banking trojan distributors for deploying malware. Those distributors might eventually latch onto the ransomware group and its other affiliates. Banking trojans are used as ransomware loaders, but ransomware "is not the only second-stage payload associated with the identified malware," Proofpoint found. Threat actors pursue software vulnerabilities or unsecure remote access.
Chris Inglis, nominee for national cyber director, wants to see the U.S. holding companies accountable "not so much for paying the ransom but for being in a position where they had to pay the ransom in the first place," he said during his confirmation hearing June 10.
While it's "not appropriate" to pay a ransom, "unfortunately, we get into a place where that is the only thing that is feasible to save lives or to bring back critical capabilities," Inglis said. Out of context, it is difficult to definitively say paying a ransom is always inexcusable.
The impact ransomware can have on a business is wide-ranging. It can lead to companywide shakeups — 29% of respondents said they had to layoff employees following an attack, according to the Cybereason report. Industries most vulnerable to job eliminations following a ransomware attack include automotive, retail, and legal, whereas the government reported virtually no job impacts.
CISO tenure has historically been shorter than other C-suite officials, Curry said. "That said, CISOs also don't have a problem getting rehired given the talent shortage."Some CISOs are hired because of their experience during an incident.
Almost half of Cybereason's respondents, who indicated they had paid a ransom, said they got their data back, though some of it was corrupted, and more than half (51%) said they regained all of it. Some security experts argue it is difficult for businesses to ever know if "all" of their data was restored.
Sophisticated, enterprise-grade ransomware operators depend on customer service — if they keep their word, companies trust them enough to pay. The study found only 3% of respondents were unable to decrypt their data after paying.
"There is no good option available for a successful ransomware attack," despite tools like insurance and backups, Curry said. "Double extortion puts your data at risk despite backups and paying the ransom," and it might lead to another attack.